Ives Steglich wrote:
> If I see this right, this is still pending, since approveCSR seems to switch
> directly to the status APPROVED_REQUEST?


> So what would we need?
> A config parameter which defines the number of required signatures;
> checking how many are already there;
> set the status to SIGNED_REQUEST or keep this one till
> enough signatures are there?

> Or did I miss something? ;o)
> I didn't find any hints in the current documentation,
> nor when visiting the code...

There is no code present. I introduced the state SIGNED_REQUEST for a future implementation. The idea was to have a small XML-file with the following format:


<openca>
  <good_name>
    <acl>
      <type>CSR</type>
      <new_state>APPROVED</new_state>
      <signature>
        <role>CA Operator</role>
        <count>1</count>
      </signature>
      <signature>
        <role>RA Operator</role>
        <count>1</count>
      </signature>
    </acl>
  </good_name>
</openca>

The implementation was stopped because the project which requires this advanced mechanism for the integration of a privacy officer was canceled.

> I'm just asking, since the option is present in the menu
> structure, but somehow I can't use it...

> - Would it be possible to define some roles or even certificates
> at RA/CA level which are allowed to sign? I mean at RA level it should work through RBAC definitions.

Here we have two different levels of access control. The RBAC system has to limit the use of functions (who can do what). The new system controls the workflow.


> - But a kind of automatic verification at the CA against defined roles or single certs (through their serial numbers, for example) would be fine, so the CA operator does not just see "there is a valid signature" (in terms of: it can be verified) and then has to check manually...

The new controls are not only used for state changes. You can of course use them for state verification too. The problem is that the verification of this ACL is not trivial.


> - I think it would be very useful to see "cert is valid and is allowed to sign"... so mistakes are easier to avoid at the CA level and the operation gets simplified, I think.

This was the idea. We wanted to integrate this functionality into approveCSR, viewCSR, issueCert and bpIssueCert.


If you have some time then you know what you can do :) I scheduled it back to 0.9.3. Should we schedule it as one of the more important features?

Michael
--
-------------------------------------------------------------------
Michael Bell                   Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): [EMAIL PROTECTED]
Germany                                       http://www.openca.org
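An added example (not OpenCA code) of how an ACL in the format Michael sketches could be evaluated: it parses the ACL, counts already-verified signatures per role, and decides whether the request stays in SIGNED_REQUEST or moves to the ACL's new_state. The ACL text, the signer identities and the function names are constructed assumptions.

```python
"""Evaluate a multi-signature ACL of the kind sketched in this thread
(added example, not OpenCA code; ACL text and function names are constructed)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ACL: approving a CSR needs one CA Operator and one RA Operator.
ACL_XML = """<openca>
  <good_name>
    <acl>
      <type>CSR</type>
      <new_state>APPROVED</new_state>
      <signature><role>CA Operator</role><count>1</count></signature>
      <signature><role>RA Operator</role><count>1</count></signature>
    </acl>
  </good_name>
</openca>"""

def load_requirements(acl_xml, obj_type, target_state):
    """Return {role: required_count} for the <acl> matching type and
    new_state, or None when no ACL governs that transition."""
    root = ET.fromstring(acl_xml)
    for acl in root.iter("acl"):
        if (acl.findtext("type") == obj_type
                and acl.findtext("new_state") == target_state):
            return {sig.findtext("role"): int(sig.findtext("count"))
                    for sig in acl.findall("signature")}
    return None

def evaluate(acl_xml, obj_type, target_state, signatures):
    """Decide the workflow state from already-verified signatures.

    `signatures` holds (role, signer_id) pairs whose cryptographic validity
    and role membership were checked beforehand (assumed here). Each signer
    counts once, whatever roles they hold, so one operator cannot satisfy a
    two-party rule alone; roles absent from the ACL are ignored.
    Returns (state, missing) with missing mapping role -> shortfall.
    """
    required = load_requirements(acl_xml, obj_type, target_state)
    if required is None:
        raise ValueError(f"no ACL for {obj_type} -> {target_state}")
    present, seen = Counter(), set()
    for role, signer in signatures:
        if signer not in seen:          # a second signature by the same person
            seen.add(signer)            # does not add a second pair of eyes
            present[role] += 1
    missing = {role: need - present[role]
               for role, need in required.items() if present[role] < need}
    # All counts met: move to the ACL's new_state; otherwise stay partially signed.
    return (target_state if not missing else "SIGNED_REQUEST"), missing
```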



_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
